What happened
A fresh cyber-espionage campaign attributed to the threat actor Transparent Tribe (also tracked as APT36) targeted Indian governmental, academic, and strategic entities with a custom remote access trojan (RAT). The RAT was delivered via spear-phishing emails carrying weaponized Windows shortcut (LNK) files disguised as PDF documents. Opening the file triggered an in-memory RAT payload that evades detection and grants persistent control over infected hosts.
Who is affected
Indian government departments, academic institutions, and strategic organizations are the primary targets of this campaign. These sectors received carefully crafted spear-phishing emails that leveraged deceptive LNK files to deploy the RAT, enabling attackers to gain remote system access. The campaign appears focused on long-term persistence and intelligence gathering rather than immediate disruption.
Why CISOs should care
CISOs should care because this campaign demonstrates an escalation in targeted cyber-espionage techniques that combine social engineering with advanced RAT delivery, making detection and prevention more complex. The malicious shortcuts execute in memory to minimize forensic traces and adapt persistence tactics based on installed antivirus tools, challenging traditional endpoint defenses. Protecting critical government and education sector assets requires enhanced email security, threat hunting, and endpoint detection strategies.
3 practical actions
- Strengthen phishing defenses: Implement and enforce robust email filtering, attachment scrutiny, and user awareness training to reduce the risk of malicious LNK and spear-phishing delivery.
- Deploy advanced EDR and memory-analysis tools: Use endpoint detection and response solutions capable of identifying in-memory execution patterns and lateral movement associated with RATs.
- Hunt and isolate threats proactively: Conduct regular threat hunting exercises focused on unusual startup persistence artifacts and anomalous inbound connections, and isolate suspicious hosts rapidly to contain potential intrusions.
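As a starting point for the hunting action above, the following PowerShell script is an added example (not from the original brief or from any published tooling) that enumerates LNK files in common delivery and startup-persistence locations and flags the two traits this campaign relies on: a document-like name on a shortcut, and a target that is a script host or command interpreter rather than a document viewer. The search roots, extension list and argument patterns are assumptions to adapt to your environment.

```powershell
# Added hunting example: flag shortcuts that look like PDFs or point at interpreters.
# Locations are assumptions; extend with mail-attachment and temp folders as needed.
$searchRoots = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop"
)
# Interpreters and LOLBins that a "document" shortcut should never launch.
$suspiciousHosts = 'powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil'
$hostPattern = '^(' + $suspiciousHosts + ')$'
# Argument fragments typical of in-memory loaders (assumed patterns, tune locally).
$argPattern = '-enc|-ec |FromBase64String|IEX|Invoke-Expression|DownloadString|-w hidden'

$shell = New-Object -ComObject WScript.Shell   # resolves the shortcut target for us
$findings = foreach ($root in $searchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $reasons = @()
        # "report.pdf.lnk": the double extension the lure depends on when extensions are hidden
        if ($_.Name -match '\.(pdf|docx?|xlsx?)\.lnk$') { $reasons += 'document-like name' }
        $targetExe = [IO.Path]::GetFileNameWithoutExtension($lnk.TargetPath)
        if ($targetExe -match $hostPattern) { $reasons += "target is $targetExe" }
        # Long or encoded argument strings usually mean the shortcut is a loader, not a link
        if ($lnk.Arguments -match $argPattern -or $lnk.Arguments.Length -gt 200) {
            $reasons += 'suspicious arguments'
        }
        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Path      = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

Any hit is a candidate for isolation and deeper memory analysis on that host, not a verdict on its own; legitimate admin shortcuts to PowerShell will also surface and should be baselined.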
